Oz metadata proposal: no to IP addresses, yes to MAC address logging

ASIO spook-in-chief: it's like the phone book, really

Australia's federal government continues to say its proposed (but not yet drafted) metadata retention laws won't impose any new requirements on telecommunications carriers and ISPs.

Following the leak of its confidential discussion paper to mainstream news outlets and the publication of the paper by Fairfax (here), Attorney-General senator George Brandis said in question time: “the nature of the mandatory data retention regime will not give the national security agencies any more powers than they currently have, nor will it require the telecommunication providers to do anything more than they currently do.”

The Senate later passed a motion requiring the government to table documents detailing how it plans to define “metadata”.

Such confusion isn't in the mind of soon-to-retire ASIO chief spook David Irvine, who yesterday likened “metadata” to a telephone directory. “We're not out there exercising mass surveillance. We use [metadata] as frequently as any of us in the old days used to look up a telephone book,” he said.

“If you are going to ask me for a warrant every time I have to go and look up a telephone book … with three or four or five pages of justification … then not only is ASIO going to come to a halt but all law enforcement in Australia is going to come to a halt”.

Irvine is more worried about the impost of warrants than the emergence of technologies like encryption, it seems: he told the National Press Club audience that even users of such technologies "will leave useful points of metadata which will be significant analytical tools for us in the future".

The metadata paper contradicts the government's consistent messaging that metadata access is about preventing terrorism, clearly stating that it is “vital to support law enforcement and security investigations”.

“Data is an integral part of every national security investigation, and in virtually every serious and organised criminal investigation”, the paper states [it really says that, on page 2].

The paper claims that “Nothing in this data set applies to or requires the retention of destination web address identifiers, such as destination IP addresses or URLs” (page 4). “However, operators of such services remain obliged to retain network address allocation records (including Network Address Translation records)”.

However, some aspects of the proposed regime seem even more intrusive than previously anticipated:

“Examples of such identifiers include the unique IMSI of the party receiving the communication, the unique IMEI of the mobile device used to receive the communication, or the MAC address of the network interface used to receive the communication” (emphasis added). ®